From 940febc3e80cfd0c01b5cc8282ebaab6b024d1b5 Mon Sep 17 00:00:00 2001
From: undergroundwires <git@undergroundwires.dev>
Date: Sun, 17 Dec 2023 18:08:23 +0100
Subject: [PATCH] Fix CSP for Vue, Ace, Vite, Safari compatibility

Relax Content Security Policy (CSP) to ensure essential functionality
of Vue, Ace and Vite legacy along with functioning developer experience
with macOS Safari.
---
 src/presentation/index.html | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/presentation/index.html b/src/presentation/index.html
index 4e4b7ebe..6023bb5d 100644
--- a/src/presentation/index.html
+++ b/src/presentation/index.html
@@ -10,16 +10,24 @@
     content="Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it." />
   <link rel="icon" href="/favicon.ico">
 
-  <!-- Security meta tags based on OWASP recommendations, see https://owasp.org/www-project-secure-headers/ci/headers_add.json -->
+  <!--
+    Security meta tags based on OWASP recommendations.
+    See https://owasp.org/www-project-secure-headers/ci/headers_add.json for all recommended policies.
+    Exceptions:
+      - [+] `style-src 'unsafe-inline'`   : Required for Vue.
+      - [+] `img-src data:`               : Required for Ace (code editor) CSS.
+      - [+] `script-src: 'unsafe-inline'` : Required for Vite legacy (@vitejs/plugin-legacy) for production builds.
+      - [-] `upgrade-insecure-requests`     : Required for development on macOS Safari or Safari will block requests on `http://localhost`.
+  -->
   <meta
     http-equiv="Content-Security-Policy"
     content="
       default-src 'self';
+      script-src 'self' 'unsafe-inline';
       style-src 'self' 'unsafe-inline';
       img-src 'self' data:;
       form-action 'self';
       object-src 'none';
-      upgrade-insecure-requests;
       block-all-mixed-content;
     "
   >